On Thursday 3rd of March 2022, Avast, a Czech cybersecurity software firm, announced that it had released a free decryption tool for HermeticRansom, a ransomware strain that has been observed in targeted attacks against Ukrainian systems. Avast first observed the strain on the 24th of February 2022, when it was found accompanying the data wiper HermeticWiper.
Based on analysis of the ransomware by multiple cyber security organisations, it is believed that the strain acts as a decoy for the wiper attacks rather than being used for financial extortion. According to analysis by CrowdStrike, a weakness has been found in the ransomware's cryptographic scheme, which means that encrypted files can be decrypted for free. CrowdStrike has released a script that can decrypt files encrypted by HermeticRansom. The weakness is believed to exist because “the malware author was either inexperienced writing in Go or invested limited efforts in testing the malware”. Avast has released a GUI decryptor that makes it easier to decrypt files encrypted by HermeticRansom, as CrowdStrike’s script is not easy for everyone to use in the current world situation.